Secure Collaboration in Global Computing Systems
by Christian Damsgaard Jensen
SECURE is a newly started IST project, partly carried out at Trinity College Dublin, which addresses secure collaboration among computational entities in emerging global computing systems.
The properties of these systems introduce new security challenges that are not adequately addressed by existing security models and mechanisms. The scale and uncertainty of this global computing environment invalidate existing security models. Instead, new security models have to be developed along with new security mechanisms that control access to protected resources.
The past decade has seen the globalisation of the information and communication infrastructure. At the same time, distributed systems have grown from company-wide networks to include global federations of independent and separately managed systems, eg, the Internet. Computing and communication capabilities are increasingly embedded into everyday objects; this means that we will soon be able to interact with billions of 'intelligent' devices whose owners we do not know and which we should not necessarily trust. The scale of such global computing systems means that security policy must encompass billions of potential collaborators. Mobile computational entities are likely to become disconnected from their home network, which requires the ability to make fully autonomous security decisions; they cannot rely on a specific security infrastructure such as certificate authorities and authorisation servers. Although a public key infrastructure may be used to reliably establish the identity of other collaborators, this identity conveys no a priori information about the likely behaviour of the principal. Identity alone therefore cannot be used for access control decisions, ie, all participants are virtually anonymous. This fact excludes the use of most access control mechanisms currently in use on the Internet. The dynamism of global computing systems means that computational entities which offer services will be confronted with requests from entities that they have never met before; mobile entities will need to obtain services within environments that are unfamiliar and possibly hostile. A party faced with such a complex world stands to benefit, but only if it can respond to new entities and assign meaningful privileges to them.
The challenges faced by mobile entities in a global computing system are not unlike those faced by human beings confronted with unexpected or unknown interactions with each other. Human society has developed the mechanism of trust to overcome initial suspicion and gradually evolve privileges. Trust has enabled collaboration amongst humans for thousands of years, so modelling trust offers an obvious approach to addressing the security requirements faced by the global computing infrastructure. Trinity College Dublin leads the SECURE project, which aims to develop a new trust-based security model for global computing systems; other partners in the SECURE project are the universities of Aarhus, Cambridge, Geneva and Strathclyde. The aim of the SECURE project is to develop a formal model in which trust relationships may be established on the basis of interaction between entities, together with a security mechanism expressed in terms of the trust model.
Trust is an elusive concept that defies stringent definition. However, we conjecture that a notion of trust can be realised in sufficient detail to be operational for a specific purpose, namely as the underlying principle for a security mechanism applicable in a global context. Trust has been proposed as a mechanism for reducing risk in unknown situations. The explicit use of trust as a defining principle for security models and policy specification makes trust relationships among entities explicit. Trust thus becomes the commodity that allows an entity facing an interaction in an unfamiliar environment to weigh the risks associated with particular actions. Conventional security mechanisms express policy in terms of the privileges allocated to individuals; role-based access control introduces a level of indirection, in which privileges derive from roles, and policy determines which individuals may enter each role. In either case the mapping from the trust model to the risks inherent in the allocation of privileges is implicit. SECURE proposes to establish a trust-based security model in which computational entities interact on a basis of (mutual) trust.
Interaction between entities may take many different forms. It is worth looking at one form of interaction in more detail. Suppose that a mobile entity needs to obtain a service from another entity within an unfamiliar environment. The entity that offers the service can identify the potential client, but its attributes and probable behaviour are unknown. We assume here that the functions of the service are categorised and their integrity protected by role-based access control. The service allows the potential client to enter role(s) on the basis of their mutual trust. The client can then make use of one or more of the functions of the service. This may place the client under an obligation, for example to make a micro-payment. When the interaction is complete each party records their experience of it, which will include information about the behaviour of the other.
The experience recorded by the service can be used in at least three ways. First, the service performs some function for the mobile entity on the basis of trust alone; the service can learn from the interaction to evolve the mapping between trust and role. Second, the record can be transferred to the mobile client, which can use it as a recommendation when approaching other entities. Finally, the record is available as evidence to modify the reputation of the mobile entity.
The accumulation of such experience is what allows trust to evolve. Trust is individually formed through an entity's observations of the behaviour of other entities; this allows interaction with unknown entities without prior configuration, a fundamental requirement for security in the global computing environment. In the scenario above we pictured a mobile client interacting with some service, but the essential feature is that the properties of each entity are unfamiliar to the other. The mobile entity will write its own account of the interaction, and may as a satisfied user offer it to the service. That record provides an alternative account of the interaction, and the combination of the two gives a lot of potential information.
Implicitly this scenario presents a rosy picture of a successful interaction, but a lot of things may go wrong. For example, the service may be performed imperfectly, or the client default on the payment in some way. Worse, the two entities may in fact be in collusion, and present fictitious but consistent accounts of the interaction in order to boost their joint reputation in the world at large.
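The scenario of the last four paragraphs, as an added toy model that is my own illustration and not code from the SECURE project: a service keeps a record of positive and negative outcomes per entity, derives a trust value from it (a Laplace estimate, so an unknown entity sits at 0.5), maps trust to roles through an assumed threshold table, and treats a recommendation brought by a client as evidence whose weight is bounded by the service's own experience with the recommender. The entity names, role names, thresholds and functions are all constructed for the example. The last case shows the collusion problem: an unfamiliar accomplice can claim any number of glowing interactions, but since the service has never dealt with it, the claim contributes nothing.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class Experience:
    """One entity's record of another: outcomes of completed interactions."""
    positive: int = 0
    negative: int = 0

    def trust(self) -> float:
        # Laplace estimate: no evidence gives 0.5 (maximal uncertainty);
        # each recorded outcome moves the value towards observed behaviour.
        return (self.positive + 1) / (self.positive + self.negative + 2)

    def weight(self) -> int:
        return self.positive + self.negative


# Assumed trust-to-role mapping for this example (not the project's): first match wins.
ROLE_THRESHOLDS = [("premium", 0.9), ("basic", 0.6)]
ROLE_FUNCTIONS = {"premium": {"query", "update"}, "basic": {"query"}}

Recommendation = Tuple[str, Experience]  # (recommending entity, its record of the client)


class Service:
    def __init__(self) -> None:
        self.records: Dict[str, Experience] = {}

    def experience(self, who: str) -> Experience:
        return self.records.setdefault(who, Experience())

    def record(self, who: str, success: bool) -> None:
        """Store the outcome of an interaction (service delivered, obligation met or not)."""
        e = self.experience(who)
        if success:
            e.positive += 1
        else:
            e.negative += 1

    def trust_in(self, who: str, recommendations: Iterable[Recommendation] = ()) -> float:
        direct = self.experience(who)
        pos, neg = float(direct.positive), float(direct.negative)
        for recommender, rec in recommendations:
            r = self.experience(recommender)
            if rec.weight() == 0 or r.weight() == 0:
                continue  # an unfamiliar recommender gets no say, whatever it claims
            # A recommender may vouch for at most as many interactions as we have
            # had with it ourselves, and its vouching is scaled by our trust in it.
            factor = min(1.0, r.weight() / rec.weight()) * r.trust()
            pos += rec.positive * factor
            neg += rec.negative * factor
        return (pos + 1) / (pos + neg + 2)

    def role_for(self, who: str, recommendations: Iterable[Recommendation] = ()) -> Optional[str]:
        t = self.trust_in(who, recommendations)
        for role, threshold in ROLE_THRESHOLDS:
            if t >= threshold:
                return role
        return None

    def request(self, who: str, function: str, recommendations: Iterable[Recommendation] = ()) -> bool:
        role = self.role_for(who, recommendations)
        return role is not None and function in ROLE_FUNCTIONS[role]


def demo() -> dict:
    """Walk through the interaction scenario with constructed entities and outcomes."""
    service = Service()
    out = {}
    out["unknown_role"] = service.role_for("mobile-1")            # never met: no role
    out["unknown_query"] = service.request("mobile-1", "query")
    for _ in range(3):                                             # three good interactions
        service.record("mobile-1", success=True)
    out["after_3_trust"] = service.trust_in("mobile-1")
    out["after_3_role"] = service.role_for("mobile-1")
    out["after_3_update"] = service.request("mobile-1", "update")
    service.record("mobile-1", success=False)                      # client defaulted on payment
    out["after_default_trust"] = service.trust_in("mobile-1")
    for _ in range(10):                                            # a well-known peer service
        service.record("service-B", success=True)
    rec = [("service-B", Experience(positive=20, negative=2))]     # its record of mobile-2
    out["recommended_trust"] = service.trust_in("mobile-2", rec)
    out["recommended_role"] = service.role_for("mobile-2", rec)
    shill = [("shill", Experience(positive=100, negative=0))]      # colluding, unknown recommender
    out["collusion_trust"] = service.trust_in("mobile-3", shill)
    out["collusion_query"] = service.request("mobile-3", "query", shill)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the recommendation from service-B does count, but only as much as the service's ten own interactions with service-B can back, so mobile-2 enters the basic role rather than premium; the same claim from an entity the service has never met leaves mobile-3 at the uninformed value of 0.5 and without any role.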
The research presented above is defined in the context of collaboration among mobile users and intelligent devices in a global computing infrastructure. However, it is equally applicable to all areas with great risk and uncertainty and where it is difficult to establish a meaningful identity of other entities, eg, Internet collaboration, peer-to-peer networks, smart environments and e-commerce.
SECURE is a Future and Emerging Technologies project supported by the European Commission under contract IST-2001-32486.